Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava, CSc. AEC spol. s r.o.  Norman Czech Republic

Jaroslav Pinkava May 2001 Introduction some overview of the most important security character problems tied with functionality of certification authority cryptographic side CP + CPS EU standards in preparation. EESSI: ETSI + CEN/ISSS

Jaroslav Pinkava May 2001 Certification Policy set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements The assessed set of certificate policies is then indicated by the issuing CA in the CA-certificate.

Jaroslav Pinkava May 2001 Certification Policy The following extension fields in an X.509 certificate are used to support certificate policies: Certificate Policies extension; Policy Mappings extension; Policy Constraints extension.

Jaroslav Pinkava May 2001 Certification Practice Statement A statement of the practices which a certification authority employs in issuing certificates. form of a declaration by the certification authority of the details of its trustworthy system and the practices it employs in its operations and in support of issuance of a certificate, or it may be a statute or regulation applicable to the certification authority and covering similar subject matter.

Jaroslav Pinkava May 2001 Certification Practice Statement CPS should indicate any of the widely recognized standards to which the certification authority's practices conform. generally be more detailed than certificate policy definitions.

Jaroslav Pinkava May 2001 CPS versus CP detailed CPS does not form a suitable basis for interoperability between CAs operated by different organizations. Rather, certificate policies best serve as the vehicle on which to base common interoperability standards and common assurance criteria on an industry-wide (or possibly more global) basis.

Jaroslav Pinkava May 2001 Security problems connected with CA functioning Physical Security Controls Procedural Controls Personnel Security Controls

Jaroslav Pinkava May 2001 Technical security controls Key Pair Generation and Installation; Private Key Protection; Other Aspects of Key Pair Management; Activation Data; Computer Security Controls; Life-Cycle Security Controls; Network Security Controls; and Cryptographic Module Engineering Controls.

Jaroslav Pinkava May 2001 Forthocoming EU Standards Final report EESSI European Directive on Electronic Signatures, December 1999 “Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive before 19 July 2001”.

Jaroslav Pinkava May 2001 EESSI SG EESSI: European Electronic Signature Standardization Initiative European Telecommunications Standards Institute

Jaroslav Pinkava May 2001 EESSI Standards Overview Signature creation process and environment Signature validation process and environment Signature format and syntax Creation device Qualified Certificate policy Trustworthy system Certification Service Provider Subscriber/signer Relying party CEN E-SIGN ETSI ESI Qualified certificate

Jaroslav Pinkava May 2001 EESSI The last slide is from presentation: György Endersz, Telia Research AB, Sweden Chairman ETSI ESI Working Group on workshop of European Electronic Signature Standardisation Initiative - Barcelona September 2000

Jaroslav Pinkava May 2001 References ETSI: Sign up from Web-site to open El Sign mailing list CEN: EESSI: homepage.htm ISSE Conference & Workshops:

Jaroslav Pinkava May 2001 ETSI - Policy Requirements for CSPs Issuing Qualified Certificates; - Qualified Certificates Profile; - Time Stamping Profile; - Electronic Signature Formats. (finalized)

Jaroslav Pinkava May 2001 ETSI Security management and policy requirements for CSPs issuing time stamps - Policy requirements for CAs issuing other than Qualified Certificates - Policies for CSP's - Electronic Signature syntax and encoding formats in XML - Technical aspects of signature policies (Informative annex to TS ) - Infrastructure and interoperability requirements for provision of status information on Certification Service Providers

Jaroslav Pinkava May 2001 CEN/ISSS Area D Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures New area D2 security requirements for cryptographic modules used in trustworthy systems run by CSPs issuing qualified certificates

Jaroslav Pinkava May 2001 CEN/ISSS Area F Secure Signatur-Creation Devices, version 'EAL 4', version 'EAL 4+', two approved versions

Jaroslav Pinkava May 2001 CEN/ISSS Area G1 Security Requirements for Signature Creation Systems (approved)

Jaroslav Pinkava May 2001 CEN/ISSS Area G2 Procedures for Electronic Signature Verification (approved)

Jaroslav Pinkava May 2001 CEN/ISSS Area V EESSI Conformity Assessment Guidance Part 1: General (approved) Part 2: Certification Authority services and processes (approved) Part 3:Trustworthy systems managing certificates for electronic signatures Part 4:Signature creation applications and procedures for electronic signature verification Part 5: Secure signature creation devices

Jaroslav Pinkava May 2001 CEN/ISSS -New areas in 2001 Area AA Extension of SSCD requirements towards specific applications/environments and towards e-commerce applications - Art5.2 Area K Requirements for smart cards used as SSCD

Jaroslav Pinkava May 2001 Thanks for Your Attention.